Concerned about whether the WD My Cloud is vulnerable to the Shellshock exploit, if so, then what can we do to mitigate it until an update is released.

Well, the version of bash on the 3.x firmware is vulberable.

WDMyCloud:~# export testbug=‘() { :;}; echo VULNERABLE’

WDMyCloud:~# bash -c “echo Hello”

VULNERABLE

Hello

WDMyCloud:~# uname -a

Linux WDMyCloud 3.2.26 #1 SMP Fri Dec 27 13:50:41 PST 2013 armv7l GNU/Linux

WDMyCloud:~# bash --version

GNU bash, version 4.2.37(1)-release (arm-unknown-linux-gnueabihf)

Copyright (C) 2011 Free Software Foundation, Inc.

I’m going to guess that the latetst release is as well, but I’m not ready to run it.

http://www.infoq.com/news/2014/09/bash-remote-exploit covers the topic

There are two bugs.  The latest of them was foind after the latest release.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

If your MyCloud is not accessilble from the open internet you may be OK.

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability also says some more.  I don’t think the MyCloud exposes any vulnerable services.

Version 4 firmware appears to be vulnerable as well.

WD’s My Cloud family of personal cloud products is potentially susceptible to the BASH/ Shellshock vulnerability. WD’s default software configuration and typical deployment for My Cloud devices lowers the risk to this threat. WD takes this threat seriously and is working on a patch to address this issue.

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability also says some more.  I don’t think the MyCloud exposes any vulnerable services.

Following the instructions on that link:

apt-get install --only-upgrade bash

I get only that “bash is already the newest version.” So much for that then?

No. You simply have to update the package list before you do that. So, from a root shell, first type

apt-get update

And only then

apt-get install --only-upgrade bash

Note that the upgrade process may ask you to confirm the replacement of various files. I’d go with the defaults it offers.

I upgraded bash a couple of days ago with the instructions provided by  Tom_Haney. This appears to have fixed the shellshock bug when tested with the provided “env x = …” string.

The sources provided by WD didn’t include the upgraded package. So I needed to add a source first (maybe this isn’t necessairy anymore, I don’t know…)

BTW I’m using v3 firmware

Anyway, here’s a tutorial for anyone interested, for bash 4.3-11 (at the time this post was last edited)

Backup your sources.list

cp /etc/apt/sources.list /etc/apt/sources.list.bak

Edit sources.list to have the correct source

echo deb http://ftp.us.debian.org/debian/ jessie main > /etc/apt/sources.list

Update the package list

apt-get update

Get bash 4.3-11 package

apt-get install --only-upgrade bash

Install the package

sudo dpkg -i --force-overwrite /var/cache/apt/archives/bash_4.3-11+b1_armhf.deb

Move back your original sources.list

mv -f /etc/apt/sources.list.bak /etc/apt/sources.list

PS: when installing the package, if it outputs “no file found”, then the bash version might have changed (updated). If so just check which file is downloaded and use that instead. Use the following command to see which bash package was downloaded:

ls /var/cache/apt/archives/

RealSkeptic wrote:

No. You simply have to update the package list before you do that. So, from a root shell, first type

apt-get update

Yeah, yeah… I meant I still got that outcome even after I did the update first.

I’ll try what joskevermeulen suggested.

joskevermeulen:

Oh sweet Jesus, that worked beautifully. Thank you, thank you, thank you!

Yes, the version had changed, so many thanks also for the tip for finding the correct one!

EDIT: I’m using v3 firmware as well.

joskevermeulen wrote:

I upgraded bash a couple of days ago with the instructions provided by  Tom_Haney. This appears to have fixed the shellshock bug when tested with the provided “env x = …” string.

The sources provided by WD didn’t include the upgraded package. So I needed to add a source first (maybe this isn’t necessairy anymore, I don’t know…)

BTW I’m using v3 firmware

Anyway, here’s a tutorial for anyone interested, for bash 4.3-9.1 (at that time)

Backup your sources.list

cp /etc/apt/sources.list /etc/apt/sources.list.bak

Edit sources.list to have the correct source

echo deb http://ftp.us.debian.org/debian/ jessie main > /etc/apt/sources.list

Update the package list

apt-get update

Get bash 4.3-9.1 package

apt-get install --only-upgrade bash

Install the package

sudo dpkg -i --force-overwrite /var/cache/apt/archives/bash_4.3-9.1_armhf.deb

Move back your original sources.list

mv -f /etc/apt/sources.list.bak /etc/apt/sources.list

PS: when installing the package, if it outputs “no file found”, then the bash version might have changed (updated). If so just check which file is downloaded and use that instead. Use the following command to see which bash package was downloaded:

ls /var/cache/apt/archives/

pinax wrote:

joskevermeulen:

Oh sweet Jesus, that worked beautifully. Thank you, thank you, thank you!

No problem, I updated my post to use the current bash_4.3-9.2_armhf.deb file.

However, I did some further testing on the shellshock bug and got this results:

CVE-2014-6271  PASS

CVE-2014-7169  PASS

CVE-2014-7186  FAIL 

CVE-2014-7187  PASS

And 2 more vulnerabilities have been reported by the linux community. So you’re not out of the woods yet…

Thanks for the heads-up!

Since I get updates on this thread, it would be terrific if you would be so kind as to amend your post if/when you get new information. I suppose as new vulnerabilities are discovered, the procedure would be the same–i.e., keep bash updated whenever possible?

Thanks again; this has been really helpful.

When attempting to upgrade, I am receiving an error. See output below:

apt-get install --only-upgrade bash

Reading package lists… Done
Building dependency tree
Reading state information… Done
Suggested packages:
bash-doc
Recommended packages:
bash-completion
The following packages will be upgraded:
bash
1 upgraded, 0 newly installed, 0 to remove and 289 not upgraded.
Need to get 0 B/1098 kB of archives.
After this operation, 1289 kB of additional disk space will be used.
VULNERABLE
dpkg: warning: files list file for package ‘libssh2-1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libxau6:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘liblockfile1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libkrb5-3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libwrap0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libtagc0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libapr1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libcap2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libglib2.0-0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libgphoto2-port0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libpng12-0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libtalloc2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libevent-2.0-5:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libedit2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libldap-2.4-2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libavahi-client3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libgphoto2-2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libtag1c2a:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘liblua5.1-0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libpkcs11-helper1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libpcre3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libdb5.3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libavahi-common3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libsensors4:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libx11-6:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libnfsidmap2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libbsd0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libavahi-common-data:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libjpeg8:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libnss-winbind:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libsasl2-2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libsasl2-modules:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libcurl3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libaprutil1-ldap:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libtirpc1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libaprutil1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libkrb5support0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘librtmp0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libpcap0.8:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libdevmapper1.02.1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libexpat1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libltdl7:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libkeyutils1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libreadline5:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libantlr3c-3.2-0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libasound2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libxcb1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libtdb1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libxpm4:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libtag1-vanilla:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘liblzo2-2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libogg0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libaprutil1-dbd-sqlite3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libfontconfig1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libmagic1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libk5crypto3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libgssglue1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libjson-c2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libunistring0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libwbclient0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libfuse2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libgssapi-krb5-2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libparted0debian1:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libgd2-xpm:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libconfuse0:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libexif12:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libffi5:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libflac8:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libdbus-1-3:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libxml2:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libfreetype6:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libxdmcp6:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libpam-cap:armhf’ missing; assuming package has no files currently installed
dpkg: warning: files list file for package ‘libpam-winbind:armhf’ missing; assuming package has no files currently installed
(Reading database … 24463 files and directories currently installed.)
Preparing to replace bash 4.2+dfsg-0.1 (using …/bash_4.3-9.2_armhf.deb) …
VULNERABLE
Unpacking replacement bash …
dpkg: error processing /var/cache/apt/archives/bash_4.3-9.2_armhf.deb (–unpack):
trying to overwrite ‘/etc/bash.bashrc’, which is also in package wd-nas 02.50.00-149675
VULNERABLE
VULNERABLE
update-alternatives: error: alternative path /usr/share/man/man7/bash-builtins.7.gz doesn’t exist
Errors were encountered while processing:
/var/cache/apt/archives/bash_4.3-9.2_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Any advice?

Hi Bill, how will we know when there is a patch to the Bash vulnerability on the WD My Cloud products?

Thanks.

I will announce it.

MecDog wrote:

Any advice?

The dpkg warnings are normal, I had them too. But the other errors and especially “VULNERABLE” don’t really make any sense to me, sorry.

BTW: A new version of bash is available (4.3-10), I’ve updated my original post. Unfortunately, the same bug I mentioned earlier is still present…

I’m not sure how this vulnerability would be used in this machine " my cloud normal users", but is easy to patch, I only need a few minutes for recompile bash-4.3 for use in WD My Cloud Firmware 4.0.1.623.

Before update:

GNU bash, version 4.2.37(1)-release (arm-unknown-linux-gnueabihf)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
CVE-2014-6271 (original shellshock): VULNERABLE
bash: line 17: 12025 Segmentation fault shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): VULNERABLE
bash: line 50: 12042 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable

After recompile bash with security patches

GNU bash, version 4.3.30(1)-release (armv7l-unknown-linux-gnueabihf)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable

I think WD can fix this problem easy.

 Regards

alex873 wrote:

I’m not sure how this vulnerability would be used in this machine " my cloud normal users", but is easy to patch

Care to elaborate on the steps taken?

You only need rebuild bash for 64k page

#get source
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
while [true]; do i=`expr $i + 1`; wget -N https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03g' $i); if [$? -ne 0]; then break; fi; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
for p in `ls ../bash43-[0-9][0-9][0-9]`; do patch -p0 < $p; done
./configure && make

Copy new bash to /bin on WDMC.

if you needed i can upload my bash 4.3 patch.

Regards

Thanks for the explanation.

However this didn’t work for me, the patch command doesn’t get recognized:

-bash: patch: command not found

I’m on v3 firmware, bash version 4.3.27(1). I assume this is only possible with the gcc toolchain?

Hello, of course you need install toolchain to build new bash also you can find in this forum guide to build packages.